Metafilter is one of the only membership sites on the web that doesn't allow a user to reset their password. Now that you have some help with the coding, and to facilitate sponsored memberships and take some of the workload off of you (not to mention provide all the normal benefits that prompt sites to allow password changing), wouldn't it make sense to add a password change widget to the site? This can't be very complicated coding. Or is there some specific reason why you don't want this feature?
I second this pony. I like to change my passwords once in a while.
posted by sebas at 6:38 AM on November 19, 2004

Ditto for me. I thought I was being very clever when I made "password" my password. Who knew?
posted by Jart at 6:45 AM on November 19, 2004

We have passwords?
posted by DrJohnEvans at 7:30 AM on November 19, 2004

Yeah, sure, I'll put this on the to do list.
posted by mathowie (staff) at 7:52 AM on November 19, 2004

If we're on security ponies I'd prefer to have something that means I don't leave myself logged in at multiple terminals should I be travelling around. (Apparently they can't repair my short term memory)
posted by biffa at 8:01 AM on November 19, 2004

Thanks for posting this. No answers came up here.
posted by scarabic at 8:59 AM on November 19, 2004

Excellent, thanks.
posted by rushmc at 9:23 AM on November 19, 2004

There's probably a Dilbert cartoon about this, but you know what Matt just said to you?
He said, and I'm paraphrasing here...
"blah, blah, blah, whatever. I've got a todo list which is eight miles long, and your request is at the bottom of it. Blah, blah, blah. Yeah I'll do it. At ten past NEVER. blah, blah, blah"

For your common developer, "Todo List" occupies the same semantic group as "Circular Filing Cabinet" and "The Cheque is in the post."
posted by seanyboy at 9:35 AM on November 19, 2004

Oh seanyboy, let him play with his pony for a while before you go shooting it in the head.
posted by kamylyon at 10:01 AM on November 19, 2004

how about getting the user's plain text password out of the source? ain't NEVER seen any other site that sends user passwords with every page.
posted by quonsar at 10:17 AM on November 19, 2004

Yeah, it's true, the security is screwed up here. It's why I didn't want to do a password change, since it would allow others to hijack accounts (even with people having to email me, when pressed for info on their account it turns out they were trying to game someone).

I've been meaning to meld minds with a real programmer over having a real security model here for usernames, but it's not only on my todo list, but something I hope to actually have changed in the next month or so.
posted by mathowie (staff) at 10:25 AM on November 19, 2004

I wish I'd seen this thread before signing up. It might be nice to put a disclaimer on the signup page indicating that new users might have to live with their password choice for quite a while.
posted by rdub at 10:50 AM on November 19, 2004

I'd be more than willing to help with planning / coding the security aspect of things... It's kind of what I do for a living.

I don't know ColdFusion, but I can figure out the gist of it pretty quick I'd imagine. Good security is more procedural anyways.

Drop me a line if you think you could use the help.
posted by icey at 12:26 PM on November 19, 2004

Well Matt, I assume you have access to everybody's passwords (not like you'd actually take them and do something with them). So why couldn't somebody contact you and have you change it? I know that is a pain, but that way you could verify (via IM, email, or something) they are who they say they are and change their password for them. Yeah, it would be a pain for you, but it would help in keeping accounts from getting jacked.
posted by Numenorian at 1:18 PM on November 19, 2004

Numenorian, that's what I currently do.
posted by mathowie (staff) at 1:41 PM on November 19, 2004

How about a "delete someone else's account" option?
posted by timeistight at 3:27 PM on November 19, 2004

I am actually quite disturbed by this:
<input type="hidden" name="user_pass" value="">

I feel bothered whenever I find out that websites I visit store passwords in plain text without hashing them. Being able to find my passwords in the source of every MeFi, MeTa, and AskMe page I visit...
In the meantime, Matt, if you would like to access my Wells Fargo account, I bet you could guess my login information. (This is not actually true, but imagine how many users it would be true for of the 17000+ users MeFi now claims.)
posted by quasistoic at 3:32 PM on November 19, 2004
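The hidden `user_pass` field quoted above is the failure mode quasistoic describes: the credential itself travels in every page. As an added illustration (not the site's code; all account values are constructed), this Python shows how a reviewer can flag hidden fields that carry the real secret, and the usual alternative: a salted hash at rest and an opaque session token in the markup.

```python
import hashlib
import hmac
import os
import re
import secrets

# Constructed sample account; not a real MetaFilter user or password.
USER = "example_user"
PASSWORD = "correct horse"
ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Store a salted PBKDF2-SHA256 hash instead of the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%s$%s" % (salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the hash with the stored salt; compare in constant time."""
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def issue_session_token():
    """Opaque random token for the browser; reveals nothing about the password."""
    return secrets.token_urlsafe(32)


# Matches <input type="hidden" name="..." value="..."> in the attribute order used
# on the page quoted in the thread (type, then name, then value).
HIDDEN_INPUT = re.compile(
    r'<input[^>]*type="hidden"[^>]*name="([^"]+)"[^>]*value="([^"]*)"', re.I)


def leaked_secret_fields(html, secret):
    """Names of hidden inputs whose value is the user's actual secret."""
    return [name for name, value in HIDDEN_INPUT.findall(html)
            if value and hmac.compare_digest(value, secret)]


# Constructed page fragments: the leaky pattern from the thread and a safe one.
LEAKY_PAGE = '<form><input type="hidden" name="user_pass" value="%s"></form>' % PASSWORD
SAFE_PAGE = '<form><input type="hidden" name="session" value="%s"></form>' % issue_session_token()
```

`leaked_secret_fields(LEAKY_PAGE, PASSWORD)` returns `["user_pass"]`, while the hardened page yields an empty list.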

Yeah, well, Jart, I figured "Either he's an idiot, or he's trying to sucker-punch those of us sitting here with too much time on our hands on a Friday afternoon...either way, I kind of owe him the effort."
posted by LairBob at 3:40 PM on November 19, 2004

Quasistoic - word. Major egg on the face with this one, IMHO.

Passwords have been clear in the source forever, too. There's been a lot of time to think/work on this one. Maybe a few hundred more memberships can buy some consulting time with a specialist?

The time to fix this is BEFORE something bad happens.
posted by scarabic at 4:19 PM on November 19, 2004

my reputation could be sullied by an imposter.
posted by quonsar at 7:41 PM on November 19, 2004

But q, all we'd have to do is demand to see the fish. No imposter has your fish in their pants.
posted by languagehat at 1:10 PM on November 20, 2004

"my reputation could be sullied by an imposter"

Doubt it.
posted by walrus at 7:10 PM on November 20, 2004